MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0
SHA3-384 hash: 04c3a625419b5aad4682b0d7da3fcfe537b54525d37ff2c510867151056c4a1f3cd4dc4699c4536b69bc476cbdd54318
SHA1 hash: 3bee80a6e72d33a22d50ca02131df0319815694e
MD5 hash: 61d76696223dde226e313710e7daf366
humanhash: triple-red-solar-gee
File name:61d76696223dde226e313710e7daf366
Download: download sample
File size:1'979'902 bytes
First seen:2021-06-25 19:46:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:tb7F5x4FnDlfPV8a0yPwE16AviK3LRKt1hQZ4Edp:J54RRPV8a0yPt1pviiMt1hW
Threatray 4'659 similar samples on MalwareBazaar
TLSH 1D958E223AC0807BC2333635494EE379F69EE9314EB5564762911F392E74583AA7C72F
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61d76696223dde226e313710e7daf366
Verdict:
No threats detected
Analysis date:
2021-06-25 19:47:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2668dcc-fac0-4df7-a926-9b391e23b5d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168387/
Detection(s):
Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11e80976-ea1b-4224-bab2-80dba4b37d4d
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808292
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440703 Sample: UaBuejGEoP Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Yara detected Mofksys 2->78 80 5 other signatures 2->80 10 UaBuejGEoP.exe 1 3 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 9 1 2->16         started        19 6 other processes 2->19 process3 dnsIp4 50 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->50 dropped 52 C:\Users\user\Desktop\uabuejgeop.exe, PE32 10->52 dropped 106 Drops executables to the windows directory (C:\Windows) and starts them 10->106 21 icsys.icn.exe 2 10->21         started        26 uabuejgeop.exe 10->26         started        108 Changes security center settings (notifications, updates, antivirus, firewall) 14->108 28 MpCmdRun.exe 1 14->28         started        56 127.0.0.1 unknown unknown 16->56 file5 signatures6 process7 dnsIp8 58 192.168.2.1 unknown unknown 21->58 48 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->48 dropped 90 Antivirus detection for dropped file 21->90 92 Machine Learning detection for dropped file 21->92 94 Drops executables to the windows directory (C:\Windows) and starts them 21->94 96 Drops PE files with benign system names 21->96 30 explorer.exe 2 14 21->30         started        35 conhost.exe 28->35         started        file9 signatures10 process11 dnsIp12 60 codecmd03.googlecode.com 30->60 62 codecmd02.googlecode.com 30->62 64 2 other IPs or domains 30->64 54 C:\Windows\Resources\spoolsv.exe, MS-DOS 30->54 dropped 66 Antivirus detection for dropped file 30->66 68 System process connects to network (likely due to code injection or exploit) 30->68 70 Machine Learning detection for dropped file 30->70 72 Drops PE files with benign system names 30->72 37 spoolsv.exe 2 30->37         started        file13 signatures14 process15 file16 46 C:\Windows\Resources\svchost.exe, MS-DOS 37->46 dropped 82 Antivirus detection for dropped file 37->82 84 Machine Learning detection for dropped file 37->84 86 Drops executables to the windows directory (C:\Windows) and starts them 37->86 88 Drops PE files with benign system names 37->88 41 svchost.exe 2 37->41         started        signatures17 process18 signatures19 98 Antivirus detection for dropped file 41->98 100 Detected CryptOne packer 41->100 102 Machine Learning detection for dropped file 41->102 104 Drops executables to the windows directory (C:\Windows) and starts them 41->104 44 spoolsv.exe 1 41->44         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0/
Threat name:
Win32.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 13:12:31 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
3591293a05792261840f36bdbff14ca1eb850764d074ee325cfc9c1351d2d1d9
45b9c1f49df2f13c878a39b37df28a41b1be765654d55b891868f33e32eb30fd
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
7e6cda4ef7fb776128b314c7a1c2938abffc2ab3def50eac650f2b49a59dc573
9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
c7c2520fd55045ea01727074499c9c691a7a7c18cdc3602edc6cdc316ce45dc1
+ 4'649 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210625-wwm2fbhzd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
a27124f9f323524473f80afb6ff7a3ff68ee83de22f5176461c114f630ecb50f
MD5 hash:
efc8b6fab8885a7f67c319762505c5b1
SHA1 hash:
150939091ecb883a3354073eaca030cafa26cdec
Link:
https://www.unpac.me/results/caec872d-7b18-4b8c-9968-a12655e77261/
SH256 hash:
e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0
MD5 hash:
61d76696223dde226e313710e7daf366
SHA1 hash:
3bee80a6e72d33a22d50ca02131df0319815694e
Link:
https://www.unpac.me/results/caec872d-7b18-4b8c-9968-a12655e77261/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e329ef9c18dd28b50a607d6386fcee5874fe05eb3d32a603d6a751bd78e295c0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168387/

Comments